WO 98/14915 PCT/CA97/00717

A METHOD OF ASSEMBLING AND PROGRAMMING A SECURE 
PERSONAL IDENTIFICATION NUMBER ENTRY DEVICE 

TECHNICAL FIELD 

The present invention relates to secure personal identification number
entry devices such as point-of-sale financial transaction terminals and in particular to
a method of assembling and programming a secure personal identification number
entry device.

BACKGROUND ART 

Financial transaction terminals that read data stored on credit, debit
and/or smart cards to complete financial transactions are known. Existing terminals
such as automated banking machines (ABMs) require users to walk to a central retail
platform to complete a financial transaction. More recently, point-of-sale debit card
terminals have been developed which allow a user to enter their personal
identification number (PIN) remotely into a secure PIN entry device (SPED) together with a
financial transaction request after their credit, debit or smart card has been read, to
access their account at a financial institution and withdraw funds directly to complete
the financial transaction.

In order to maintain security, multi-digit PINs are used which are
known only to the users and to the financial institutions issuing the debit, credit or
smart cards. When a PIN is entered into the SPED by a user, the SPED encrypts the
PIN via security software before transmitting the encrypted PIN to the financial
institution together with the financial transaction request. Encrypting the PIN
substantially reduces the risk of the PIN becoming known to other parties.

Conventional SPEDs typically include a tamper resistant casing which
is either hermetically sealed or uses one way screws so that access to the internal
components of the SPED cannot be achieved without physical evidence. The security
software which includes the cryptographic keys and encryption algorithms used by the
SPED is stored in a secure manner using a single integrated circuit design having on-
board memory.
In order to maximize security, the SPED security software must be
protected to inhibit access to and/or alteration of the encryption algorithms. This can
be achieved by using a mask programmed device or a one-time programmable (OTP)
device.

Mask programmed devices provide a good solution only if the 
encryption algorithms and SPED system software are identical for large groups of 
financial institutions and card issuers. Unfortunately, the encryption algorithms used 
by the financial institutions and card issuers differ for each type of card and from 
country to country. Moreover, the encryption algorithms tend to change as each 
financial institution develops improvements to the encryption algorithms to improve 
security. These differences in SPED operating software make the use of mask 
programmed devices unsuitable. 

In contrast, OTP devices provide greater flexibility allowing the SPED
security and system software to be tailored for each specific financial institution
and/or card issuer. During the manufacture of conventional SPEDs incorporating
OTP devices, the OTP devices are firstly programmed with the SPED system and
security software. The OTP devices are then burned with a security bit. Following
this, the printed circuit board (PCB) within the SPED is populated with its internal
electronic components including the programmed OTP device and the SPED is fully
assembled. Following this, the SPED is tested and if the results of the tests are
satisfactory, the SPED casing is permanently or hermetically sealed.

The above manufacturing process is usually performed for specific 
customers and in ordered quantities and only after the purchase of the components of 
the SPED. Component programming lead times must therefore be taken into account 
for the OTP device programming steps thereby increasing the SPED manufacturing 
process time. Accordingly, improved methods of assembling and programming 
SPEDs are desired. 

It is therefore an object of the present invention to provide a novel 
method of assembling and programming a secure personal identification number entry 
device such as a point-of-sale financial transaction terminal. 
DISCLOSURE OF THE INVENTION

Broadly stated, the present invention provides a novel method of
assembling and programming a secure personal identification number entry device
(SPED) which allows the printed circuit board within the SPED to be populated in
large batches. In one embodiment, the method includes the steps of populating a
printed circuit board with the internal electronic components of the SPED including
the OTP secure integrated circuit device and then assembling the SPED. Once
assembled, the OTP secure integrated circuit device on the printed circuit board is
programmed with the SPED system and security software by way of an external serial
port on the SPED. Following this, the SPED is burned with a security bit and the
SPED is tested. After testing, the SPED is permanently or hermetically sealed to
inhibit access to the fully programmed OTP secure integrated circuit device within the
SPED.

In another embodiment, the method includes the step of programming
the OTP secure integrated circuit device with the SPED system software, test function
software and a security software applications interface. The SPED printed circuit
board is then populated with the internal electronic components of the SPED
including the OTP secure integrated circuit device and the SPED is assembled. Once
assembled, the SPED is tested and then permanently or hermetically sealed. After
permanently or hermetically sealing the SPED, the OTP secure integrated circuit
device is programmed with the SPED security software and is then burned with the
security bit by way of an external serial port.

According to one aspect of the present invention there is provided a
method of assembling and programming a secure personal identification number entry
device, said secure personal identification number entry device including an outer
casing, input means on said casing to allow financial transaction data including a
personal identification number or a password to be entered therein, a card reader
accommodated by said outer casing to receive and read a credit, debit or smart card, a
processor within said outer casing and in communication with said input means and
card reader, said processor including a one-time programmable secure integrated
circuit device to encrypt said personal identification number or password and a
transmitter to transmit said financial transaction data including the encrypted personal
identification number or password to a financial institution for processing, said
method comprising the steps of:

(i) populating a printed circuit board with electronic components forming
said processing means including said one-time programmable secure integrated circuit
device;

(ii) assembling said secure personal identification number entry device;
and

(iii) programming said one-time programmable secure integrated circuit
device with security software including an encryption algorithm by way of an external
port on said outer casing.

According to another aspect of the present invention there is provided a
secure personal identification number entry device comprising:

an outer casing;

input means on said outer casing to allow financial transaction data
including a personal identification number or password to be entered therein;

a card reader accommodated by said outer casing to receive and read a
credit, debit or smart card;

a processor within said outer casing and in communication with said
input means and said card reader, said processor including a one-time programmable
secure integrated circuit device to encrypt said personal identification number or
password;

a transmitter to transmit said financial transaction data including the
encrypted personal identification number or password to a financial institution for
processing; and

an external port on said outer casing electrically connected to said
processor to allow said one-time programmable secure integrated circuit device to be
programmed with security software after assembly of said secure personal
identification number entry device.

According to still yet another aspect of the present invention there is
provided in a method for assembling and programming a secure personal
identification number entry device to generate a financial transaction request from
entered financial transaction data including an encrypted personal identification
number or password, the improvement comprising the step of:

(i) programming said secure personal identification number entry device
with security software including an encryption algorithm by way of an external port
on said secure personal identification number entry device after said secure personal
identification number entry device has been assembled.

The present invention provides advantages in that manufacturing lead 
times due to programming operations are reduced while increasing security and 
maintaining high programming flexibility. 


BRIEF DESCRIPTION OF THE DRAWING

Embodiments of the present invention will now be described more
fully with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a financial transaction system;

Figure 2 is a perspective view of a portable, radio frequency financial
transaction terminal utilized in the financial transaction system of Figure 1;

Figure 3 is a top plan view of the radio frequency financial transaction
terminal of Figure 2;

Figure 4 is a block diagram of the radio frequency financial transaction
terminal of Figure 2;

Figure 5 is a block diagram of a secure integrated circuit device
forming part of the radio frequency financial transaction terminal of Figure 2;

Figure 6 is a block diagram of a central network controller forming part
of the financial transaction system of Figure 1;

Figure 7 is a flow chart setting forth the steps by which the portable,
radio frequency financial transaction terminal of Figure 2 is programmed and
assembled; and

Figure 8 is a flow chart setting forth an alternative embodiment of the
steps by which the portable radio frequency financial transaction terminal is
programmed and assembled.


BEST MODE FOR CARRYING OUT THE INVENTION 

Referring now to Figure 1, a financial transaction system is shown and
is generally indicated by reference numeral 10. Financial transaction system 10
includes a central network controller 12 and a plurality of secure personal
identification number entry devices (SPEDs) in the form of portable, hand-held, radio
frequency (RF) financial transaction terminals 14. The central network controller 12
and the RF financial transaction terminals 14 communicate via a wireless RF
communications link 16. The central network controller 12 also communicates with
host computers at financial institutions (not shown) either via hardwired network
services (e.g. DATAPAC), an ISDN interface or alternatively a wireless
communications network to provide real-time financial transaction processing with
the host computers.

Each RF financial transaction terminal 14 includes a financial
transaction data module 18 for collecting financial transaction data and an RF
transceiver 20 for transmitting a financial transaction request to the central network
controller and for receiving a financial transaction verification from the central
network controller 12. The RF transceiver is in the form of an RF modem having an
internal microcontroller unit (MCU) and an antenna.

Referring now to Figures 2 to 4, one of the RF financial transaction
terminals 14 is better illustrated. The RF financial transaction terminal includes a
portable, hand-held outer casing 30 which accommodates the various components of
the financial transaction data module 18 and the RF transceiver 20. The outer casing
30 includes a top casing shell 30a and a bottom casing shell 30b secured together by
one way screws 32 so that once assembled, access to the interior of the financial
transaction terminal 14 cannot be achieved without physical evidence. A retractable,
pistol-grip handle 34 is received in a recess 36 formed in the undersurface of the
bottom casing shell 30b and is retained by a plurality of fasteners 38 in the form of
screws. A rechargeable battery 40 is received by a pocket (not shown) in the bottom
casing shell. A multi-pin universal serial port 42 to connect to an optional bar code
reader, CCD scanner or other similar device (not shown) is also provided in the
bottom casing shell 30b and is hidden by a sliding cover 44. An auxiliary secure
RS-232 serial port 94 (see Figure 4) is also provided on the side of the outer casing 30.

On the top casing shell 30a is an LCD display 50 and an input keypad
52 to allow financial transaction data to be entered into the financial transaction
terminal and displayed. Above the LCD display 50 is a printer 54 housing a paper roll
to print receipts confirming that financial transactions have been verified and
processed. A card reader 56 having a card reading slot 58 therein is housed by the
outer casing 30 adjacent one end thereof. The antenna 60 forming part of the RF
transceiver 20 is rotatably mounted on the outer casing 30. Details of the antenna
design are described in Applicant's co-pending application entitled "Rotatable
Antenna for Financial Transaction Terminal" filed on even date herewith.

Within the outer casing 30 is a motherboard on which the internal
components of the financial transaction terminal are mounted. In particular, the
financial transaction terminal includes a main central processing unit (CPU) module
70 which communicates with a secure module 72. The functional division of the
internal components into the main CPU module 70 and the secure module 72 is
chosen for security.

The main CPU module 70 includes a printer interface 74 to connect to
printer 54, an RF TX-RX interface 76 to connect to RF modem 20, a card reader
interface 78 to connect to card reader 56 and a bar code reader interface 80 connected
to universal serial port 42. The main CPU module 70 is also equipped with a main
CPU 82 connected to the interfaces allowing the CPU to control the operation of the
printer, the RF modem, the card reader and the device connected to the universal
serial port 42. The CPU 82 is also connected to flash memory 84 and static random
access memory 86. The flash memory 84 stores start-up software incorporating a set
of routines for initializing the RF financial transaction terminal 14 at power-up. The
flash memory 84 also stores a system software loader comprising a routine for
downloading system software into the flash memory 84. Flash memory 84 stores the
system software (i.e. interrupt handlers, I/O routines, an application software loader,
device drivers etc.) and an applications program area or memory space where a secure
prompt table and different application programs can be downloaded (i.e. transaction
verification, application specific services etc.). A photosensor 88 is also provided in
the main CPU module 70 for security purposes as will be described and is connected
to the secure module 72.

The secure module 72 provides cryptographic services and security
measures to protect the RF financial transaction terminal 14 from software tampering
that could result in debit, credit or smart card PINs or passwords being accessed.
The secure module 72 contains a microcontroller unit in the form of a physically
encapsulated, one-time programmable (OTP) secure integrated circuit device 90
which controls the operation of the LCD display 50, the keypad 52 and a speaker 92
by way of display, keypad and speaker interfaces 110, 108 and 112 respectively. The
secure integrated circuit device 90 also controls an auxiliary secure RS-232 serial port
94 and an interface 96 to the main CPU module 70. Auxiliary secure serial port 94
allows updates to data and software used by the financial transaction terminal 14 to be
downloaded. The main CPU module 70 and the secure module 72 receive power
from the on-board rechargeable battery 40 in a conventional manner.

The secure integrated circuit device 90 includes a CPU 100, read only
memory 102 and random access memory 104. The read only memory 102 stores
system software for auxiliary secure RS-232 port control, display control, control of
communications to the main CPU module 70, keypad control and speaker control
functions. The random access memory 104 is used for cryptographic key and
encryption algorithm storage, PIN or password storage and system software and
security software working space. The secure module 72 controls the LCD display 50
in a split-screen fashion dividing the LCD display into unsecured and secure display
areas. The information displayed in the secure display area is controlled solely by the
secure module 72 while the information displayed in the unsecured display area is
controlled by the secure module in conjunction with the main CPU module 70.

A battery backup 120 is provided to protect against inadvertent power
loss and consequent loss of data stored in the static random access memory 86 and
random access memory 104 in which the cryptographic keys and encryption
algorithms are stored. Random access memory 104 is designed so as to prevent
unauthorized reading of its contents. In addition, since the photosensor 88 is within
the outer casing 30, it is typically isolated from light. However, if the integrity of the
outer casing 30 is compromised and the interior of the casing is exposed to light, the
photosensor 88 triggers the secure integrated circuit device 90 which in turn clears the
cryptographic keys and encryption algorithms stored in the random access memory
104 to inhibit an intruder from acquiring the cryptographic keys and encryption
algorithms.

Referring now to Figure 6, the central network controller 12 is better
illustrated. The central network controller in this embodiment is connected to a
dial-up or leased-line telephone line and is powered by a power supply connected to AC
mains. The central network controller includes a CPU motherboard with a main
microprocessor 132 and associated memory 134. The main microprocessor 132 is
connected to an RF transceiver including an RF modem 136 and an antenna 138 for
establishing the RF communications link 16 with the various financial transaction
terminals 14. A network interface 140 is provided with DATAPAC 3101 and 3201
or other similar interfaces. An ISDN interface board may also be provided. A
serial RS-232 interface 142 is included in the central network controller 12 to allow
updates to data and software used by the financial transaction terminals 14 and central
network controller 12 to be downloaded. A serial RS-485 interface 144 is also
provided for optional connection of the central network controller 12 to a retailer's
existing point-of-sale platforms.

In operation, financial transactions are carried out by bringing one of
the financial transaction terminals 14 to the location of a user. Transaction data is
entered into the financial transaction terminal via the input keypad 52 and displayed
via LCD display 50. The user's debit, credit or smart card is read by the card reader
56 in the financial transaction terminal in the presence of the user. The user is
required to enter a PIN or password via the keypad 52. The financial transaction
terminal 14 does not display the entered PIN or password data or the data read by the card
reader. The secure integrated circuit device 90 encrypts the PIN or password data
to inhibit the data from being accessed by unauthorized parties. Once encrypted, a
financial transaction request is generated by the financial transaction terminal 14
which includes the financial transaction data (i.e., the entered transaction data, read
card data and encrypted PIN or password). The financial transaction request is then
transmitted to the central network controller 12 by the RF modem 20 over the RF
communications link 16.

The central network controller 12 in turn conveys the financial
transaction request to the financial institution so that the financial transaction request can be
verified and processed. Once verified and processed, the financial institution conveys
verification data to the central network controller 12. The central network controller
12 in turn transmits the verification data to the financial transaction terminal 14 to inform
the user that the financial transaction has been verified and processed. The financial
transaction terminal in turn prints a receipt confirming that the transaction has been
verified and processed. Further details of the operation of the financial transaction
terminals and central network controller are described in Applicant's co-pending PCT
application serial No. PCT/CA96/00104 filed on February 22, 1996 and designating
the United States, the content of which is incorporated herein by reference.

When manufacturing a financial transaction terminal 14, it is necessary
to populate the motherboard with the internal components of the financial transaction
terminal, program the main central processing unit module 70 and secure module 72,
test the financial transaction terminal 14 and then permanently seal the outer casing 30
so that physical tampering with the financial transaction terminal is visible.

To reduce manufacturing costs, it is preferred that the financial
transaction terminals are manufactured in large batches. In order to reduce further
manufacturing costs, each financial transaction terminal is assembled and
programmed in the following manner as will now be described with particular
reference to Figure 7. Initially, the motherboard is populated with the internal
components of the financial transaction terminal (step 200) and the financial
transaction terminal is fully assembled (step 202). Once assembled, the secure
integrated circuit device 90 is programmed with the operating system comprising the
system software and the security software which includes the encryption algorithms
and the cryptographic keys (step 204). The secure integrated circuit device 90 is
then burned with a security bit (step 206). Steps 204 and 206 are performed by way
of universal serial port 42, interface 80 and main CPU 82. Once the secure integrated
circuit device 90 has been programmed, the financial transaction terminal is tested
(step 208) and if the results of the tests are satisfactory, the outer casing 30 is
permanently sealed (step 210) to inhibit access to the fully programmed secure
integrated circuit device within the financial transaction terminal 14.

As those of skill in the art will appreciate, because the financial
transaction terminal can be programmed with the operating system after the financial
transaction terminal has been assembled, manufacturing lead times due to
programming steps during assembly of the financial transaction terminal can be
avoided.

Referring now to Figure 8, another method of assembling and
programming each financial transaction terminal is shown. In this method, the secure
integrated circuit device 90 is initially programmed with generic system software, test
function software and a security software applications interface (step 300). The
motherboard is then populated with the internal components of the financial
transaction terminal (step 302) and the financial transaction terminal 14 is fully
assembled (step 304). Once assembled, the financial transaction terminal is tested
(step 306) and is then permanently sealed (step 308). After this, the secure integrated
circuit device 90 is programmed with the encryption algorithms and the cryptographic
keys (step 310). The secure integrated circuit device is then burned with a security bit
(step 312). Steps 310 and 312 are performed by way of universal serial port 42,
interface 80 and main CPU 82 to inhibit access to the fully programmed secure
integrated circuit device within the financial transaction terminal. Since the secure
integrated circuit device 90 is programmed with the security software after the
financial transaction terminal is permanently sealed, the financial institutions can
tailor the security features to their specific requirements by verifying the security code
checksums, programming the secure integrated circuit device and burning the security
bit, all in their own secure environments. This assembly and two-step programming
approach for the financial transaction terminal reduces manufacturing lead-times due to
programming operations and provides for good security with excellent flexibility.
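The two-step programming sequence of Figure 8 and the photosensor response described earlier (keys cleared from random access memory 104 when the casing is opened) can be exercised together in a small software model. The following Python model is an added illustration and is not part of this application or of any product it describes. It assumes, as the application does not state, that unprogrammed OTP cells read 0xFF and that a cell bit can only be burned from 1 to 0, that the security code checksum verified by the institution is SHA-256 of the security software image, and that sealing of the casing is tracked as a flag; the system software image, security software image and key material it loads are constructed placeholders.

```python
import hashlib

SYSTEM_AREA = 0      # offset of generic system software (Figure 8, step 300); assumed layout
SECURITY_AREA = 128  # offset of security software and algorithms (step 310); assumed layout


class OtpError(Exception):
    """A programming, read-out or sequencing request that the OTP rules forbid."""


class OtpSecureDevice:
    """Model of the one-time programmable secure integrated circuit device 90.

    Assumptions not stated in the application: unprogrammed OTP cells read 0xFF
    and a bit can only be burned from 1 to 0; keys live in a RAM dictionary that
    the photosensor response clears.
    """

    def __init__(self, program_size=256):
        self.program = bytearray(b"\xff" * program_size)
        self.security_bit = False   # once burned: no read-out and no further programming
        self.key_ram = {}           # battery-backed RAM 104 holding keys and algorithm data

    def program_image(self, image, offset=0):
        """Burn `image` into the OTP array; refused once the security bit is set."""
        if self.security_bit:
            raise OtpError("security bit burned: device is no longer programmable")
        if offset + len(image) > len(self.program):
            raise OtpError("image does not fit in the OTP program area")
        for i, b in enumerate(image):
            cell = self.program[offset + i]
            if cell & b != b:   # image would need a 0 -> 1 transition, impossible in OTP
                raise OtpError("cell at offset %d already burned" % (offset + i))
            self.program[offset + i] = cell & b

    def load_keys(self, keys):
        self.key_ram = dict(keys)

    def burn_security_bit(self):
        self.security_bit = True

    def read_program(self):
        """Read-out used during test (step 306); inhibited after the security bit."""
        if self.security_bit:
            raise OtpError("read-out inhibited by security bit")
        return bytes(self.program)

    def photosensor_triggered(self):
        """Casing breached: light reaches photosensor 88 and the keys are cleared."""
        self.key_ram.clear()

    def has_key_material(self):
        return bool(self.key_ram)


def verify_checksum(image, expected_hex):
    """Checksum the institution verifies before programming (SHA-256 assumed)."""
    return hashlib.sha256(image).hexdigest() == expected_hex


def program_after_seal(device, security_image, expected_hex, keys, sealed):
    """Figure 8 steps 310 and 312, as run by the institution over the external port.

    Refuses if the casing is not yet sealed or the checksum does not match;
    returns True only when the device ends up programmed, keyed and locked.
    """
    if not sealed:
        raise OtpError("casing must be sealed before security software is loaded")
    if not verify_checksum(security_image, expected_hex):
        raise OtpError("security code checksum mismatch; refusing to program")
    device.program_image(security_image, offset=SECURITY_AREA)
    device.load_keys(keys)
    device.burn_security_bit()
    return device.security_bit and device.has_key_material()


def attempt(fn, *args, **kwargs):
    """Run fn and report (succeeded, result-or-error) so callers need no try/except."""
    try:
        return True, fn(*args, **kwargs)
    except OtpError as exc:
        return False, str(exc)


def run_figure8_flow():
    """Walk the Figure 8 sequence with constructed placeholder images and keys."""
    dev = OtpSecureDevice()
    # Step 300: generic system software, test functions and security API go in first.
    dev.program_image(b"SYS-GENERIC-1.0".ljust(32, b"\x00"), offset=SYSTEM_AREA)
    # Steps 302 to 306: populate, assemble, test. Testing may still read the program.
    if dev.read_program()[:3] != b"SYS":
        raise OtpError("test step failed: system software not readable")
    sealed = True   # Step 308: permanent seal, modelled as a flag
    # Steps 310 and 312: institution verifies the checksum, loads its algorithm and keys, locks.
    image = b"SEC-ALGORITHM-PLACEHOLDER".ljust(32, b"\x00")   # constructed placeholder
    ok = program_after_seal(dev, image, hashlib.sha256(image).hexdigest(),
                            {"pin_key": bytes(16)}, sealed)   # placeholder key
    return dev, ok


if __name__ == "__main__":
    device, locked = run_figure8_flow()
    print("locked:", locked, "| read-out:", attempt(device.read_program)[1])
    device.photosensor_triggered()
    print("keys after tamper:", device.has_key_material())
```

The order of checks in program_after_seal is the point of the Figure 8 embodiment: the institution's algorithm and keys never exist in an unsealed terminal, the image is checksummed before a single cell is burned, and once the security bit is set the same port that loaded the software can no longer read it back or write over it.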

Although the present invention has been described with particular
reference to radio frequency financial transaction terminals, it should be apparent to
those of skill in the art that the methodology used to assemble and program the
financial transaction terminals is equally applicable to stand-alone secure PIN entry
devices, integrated point-of-sale devices and other secure PIN entry systems. It
should also be appreciated that various modifications and variations may be made to
the present invention without departing from the spirit and scope thereof as defined by
the appended claims.
What is claimed is:

1. A method of assembling and programming a secure personal
identification number entry device, said secure personal identification number entry
device including an outer casing, input means on said casing to allow financial
transaction data including a personal identification number or a password to be
entered therein, a card reader accommodated by said outer casing to receive and read a
credit, debit or smart card, a processor within said outer casing and in communication
with said input means and card reader, said processor including a one-time
programmable secure integrated circuit device to encrypt said personal identification
number or password and a transmitter to transmit said financial transaction data
including the encrypted personal identification number or password to a financial
institution for processing, said method comprising the steps of:

(i) populating a printed circuit board with electronic components forming
said processing means including said one-time programmable secure integrated circuit
device;

(ii) assembling said secure personal identification number entry device;
and

(iii) programming said one-time programmable secure integrated circuit
device with security software including an encryption algorithm by way of an external
port on said outer casing.

2. The method of claim 1 further comprising the steps of testing said
secure personal identification number entry device and if the results of the tests are
satisfactory, permanently or hermetically sealing said outer casing.

3. The method of claim 2 wherein said testing and sealing steps are
performed after step (iii).

4. The method of claim 2 wherein during step (iii) said one-time
programmable secure integrated circuit device is also programmed with system
software.

5. The method of claim 2 wherein said testing and sealing steps are
performed after step (ii) and prior to step (iii).

6. The method of claim 5 wherein prior to step (i), said one-time
programmable secure integrated circuit device is programmed with system software.

7. A secure personal identification number entry device comprising:

an outer casing;

input means on said outer casing to allow financial transaction data
including a personal identification number or password to be entered therein;

a card reader accommodated by said outer casing to receive and read a
credit, debit or smart card;

a processor within said outer casing and in communication with said
input means and said card reader, said processor including a one-time programmable
secure integrated circuit device to encrypt said personal identification number or
password;

a transmitter to transmit said financial transaction data including the
encrypted personal identification number or password to a financial institution for
processing; and

an external port on said outer casing electrically connected to said
processor to allow said one-time programmable secure integrated circuit device to be
programmed with security software after assembly of said secure personal
identification number entry device.
8. A secure personal identification number entry device as defined in
claim 7 wherein said external port is an RS-232 serial port.
9. In a method for assembling and programming a secure personal
identification number entry device to generate a financial transaction request from
entered financial transaction data including an encrypted personal identification
number or password, the improvement comprising the step of:

(i) programming said secure personal identification number entry device
with security software including an encryption algorithm by way of an external port
on said secure personal identification number entry device after said secure personal
identification number entry device has been assembled.

10. The method of claim 9 further comprising the step of permanently or
hermetically sealing said secure personal identification number entry device after step
(i).

11. The method of claim 10 further comprising the step of permanently or
hermetically sealing said secure personal identification number entry device prior to
step (i).